selinux - Why can't staff_u and sysadm_r execute postsuper?

I am trying to understand how SELinux confined users really work, but there is some behaviour I still cannot explain. According to Red Hat's

SELinux user capabilities

a staff_u user should be able to run sudo but not su. So I created a user someuser and mapped it to staff_u:

[someuser@testserver ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

Now, if I grant full rights through sudo but do not set a role/type in sudoers, I cannot do much (as expected):

[someuser@testserver ~]$ sudo -l
Matching Defaults entries for someuser on testserver:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User someuser may run the following commands on testserver:
    (ALL) NOPASSWD: ALL

[someuser@testserver ~]$ sudo ls -la /var/log/audit/audit.log 
ls: cannot access '/var/log/audit/audit.log': Permission denied

[someuser@testserver ~]$ sudo ausearch -m avc -ts recent
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)
[someuser@testserver ~]$ 

If I change sudoers to transition to sysadm_r and sysadm_t, I would expect to be able to do basically anything, but that is not quite what I get.

I can do a lot:

[someuser@testserver ~]$ sudo -l
Matching Defaults entries for someuser on testserver:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User someuser may run the following commands on testserver:
    (ALL) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
[someuser@testserver ~]$ sudo ausearch -m avc -ts recent | wc -l
66
[someuser@testserver ~]$ sudo ls -la /var/log/audit/audit.log 
-rw-------. 1 root root 1996980 Jul 30 12:55 /var/log/audit/audit.log
[someuser@testserver ~]$ sudo cat /var/log/audit/audit.log  | wc -l
8172
[someuser@testserver ~]$ 


But some commands are still blocked, for example postsuper from the postfix package:

[someuser@testserver ~]$ sudo postsuper
sesh: unable to execute /sbin/postsuper: Permission denied
[someuser@testserver ~]$ file /sbin/postsuper
/sbin/postsuper: cannot open `/sbin/postsuper' (Permission denied)
[someuser@testserver ~]$ sudo file /sbin/postsuper
/sbin/postsuper: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=aa0157870508c475195fe5fb1dafe5a9b3898a61, stripped
[someuser@testserver ~]$ 

Can anyone explain to me why? The strangest part is that I do not see any denial for the postsuper command in /var/log/audit/audit.log. But it must be SELinux related, because if I change the user back to unconfined_u everything works fine.
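The "permission denied but nothing in audit.log" pattern is usually a dontaudit rule: the policy denies the access but suppresses the AVC record. The helper below is an added example, not code from the post or from the SELinux or sudo projects. It parses AVC records from stdin, and when it finds none for the file in question it prints the usual next steps (temporarily disabling dontaudit with semodule -DB, reproducing, then querying the policy with sesearch using the type read from the file's own label). The audit records in SAMPLE_AUDIT are constructed for the demo; the sesh path, pids and inode numbers in them are made up.

```shell
# Added example (not from the original post): triage helper for an access that
# fails with EACCES but leaves no AVC denial in audit.log.
# SAMPLE_AUDIT is constructed for this demo; it mimics the poster's situation:
# the ls on audit.log produced an AVC, the postsuper exec produced none.
SAMPLE_AUDIT='type=AVC msg=audit(1690714500.123:4567): avc:  denied  { read } for  pid=2345 comm="ls" name="audit.log" dev="dm-0" ino=123 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1690714510.456:4570): arch=c000003e syscall=59 success=no exit=-13 comm="sesh" exe="/usr/libexec/sudo/sesh" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023'

# avc_denials_for NAME: read audit records on stdin and print one line
# "scontext tcontext tclass perms" for every AVC denial whose target is NAME.
avc_denials_for() {
    awk -v want="$1" '
        $1 == "type=AVC" && /denied/ {
            perms = ""; sc = ""; tc = ""; cls = ""; nm = ""
            # permissions are inside "{ ... }"
            if (match($0, /\{[^}]*\}/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            # the rest are key=value tokens
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "scontext") sc = v
                else if (k == "tcontext") tc = v
                else if (k == "tclass") cls = v
                else if (k == "name") { gsub(/"/, "", v); nm = v }
            }
            if (nm == want) print sc, tc, cls, perms
        }'
}

# triage NAME PATH SRC_TYPE: report denials for NAME (exit 0) or, if there are
# none, print the steps to unhide a dontaudit'ed denial and exit 1.
# The printed commands change live policy; run them as root on a test box.
triage() {
    found=$(avc_denials_for "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    printf 'No AVC denial for "%s": a dontaudit rule is probably suppressing it.\n' "$1"
    printf 'Next steps:\n'
    printf '  semodule -DB          # rebuild policy with dontaudit rules disabled\n'
    printf '  <reproduce the failing command>\n'
    printf '  ausearch -m avc -ts recent\n'
    printf '  semodule -B           # restore the dontaudit rules\n'
    printf 'Then ask the policy directly, with the type taken from the file label:\n'
    printf '  sesearch -A -s %s -t $(stat -c %%C %s | cut -d: -f3) -c file -p execute\n' "$3" "$2"
    printf '  sesearch -D -s %s -t $(stat -c %%C %s | cut -d: -f3) -c file -p execute\n' "$3" "$2"
    return 1
}

# Demo on the constructed records: ls has an AVC, postsuper does not.
printf '%s\n' "$SAMPLE_AUDIT" | triage audit.log /var/log/audit/audit.log staff_t || true
printf '%s\n' "$SAMPLE_AUDIT" | triage postsuper /sbin/postsuper sysadm_t || true
```

On a real box feed it `ausearch -m avc -ts recent --raw | triage postsuper /sbin/postsuper sysadm_t`. If the `-A` query returns nothing and the `-D` query returns a rule, the denial is expected by policy and simply hidden; the fix is then a policy change (a local module allowing the exec, or a different role/type in the sudoers entry), not something sudoers alone can solve.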
